Dial “M” for malware: Two-factor scamming

Adversaries are developing new ways of attacking you using old forms of communication. Make sure your communication of this issue is equally as effective.

Social engineering is a term that covers a broad spectrum of malicious activity and tactics to “exploit the human”. Often this involves tricking them into divulging information or performing tasks that assist an attacker. In recent incidents, we noted the use of phone calls as a pre-requisite to a cyber-attack but how are attackers increasingly using this tactic?

In one recent incident, UK-based educational institutions were warned of a campaign targeting them with ransomware. The attack was initiated by a cold-caller purportedly from the ‘Department of Education’ (rather than the Department for Education) requesting the email address of a senior employee, usually the head teacher. The caller alleged that they had sensitive documents which needed to be sent to the individual rather than a generic inbox. The victim was then targeted with a phishing email containing a malicious attachment seeking to infect them with ransomware.

In another example, the organized criminal group Carbanak (aka Anunak) also used phone calls as part of their tactics. They reportedly targeted multiple companies in the hospitality sector with malware, potentially to harvest bank card information from point of sale devices. This involved phoning the company claiming to be unable to access an online reservation, emailing them a fraudulent reservation document, and staying on the call whilst the recipient opened the document and inadvertently infected their system with information harvesting malware.

Similarly “technical support scams” are another popular tactic whereby users receive calls from a phony tech support or “Windows Support Centre” offering to remove a virus or resolve an imaginary technical problem. Some offer to do this for a fee; others appear more altruistic. The victim is directed to install software which would grant the threat actor remote access to their system, following which a variety of malicious acts are undertaken including malware infection and data theft. TalkTalk customers were warned of these kinds of scams after a customer data breach in October 2015.

As education and awareness grows regarding the threats of malicious emails and suspicious documents, the addition of the phone-call introduces a new and personalized aspect to the scam. It highlights the efforts to which some threat actors will go, as well as the creativity involved. Accessing the necessary contact telephone numbers is relatively simple. Companies and organizations often publicize a general enquiry number, and the actors then rely on deceiving staff and employees to divulge employee personal contact details. Public directories have long been used by fraudsters for cold-calling, a tactic which has simply been adopted by cyber threat criminals as well. Below is a table highlighting the Strengths, Weaknesses, Opportunities and Threats (SWOT) of this particular scam. SWOT is an effective tool providing both a current view of the threat from the attacker’s point of view, and also an element of forecasting.

Fig 1: A SWOT of the cold-calling tactic

Along with efforts to educate employees on the associated risks, another line of defence is for companies to use call answering services, which can help to triage out potential malicious calls. The advice is to treat all unsolicited calls with scepticism and suspicion, do not provide personal or financial information to the caller, and certainly do not agree to install software on to your device unless you are confident of its purpose. As with all scams, it’s better to be safe than sorry.

Organizations affected by data breaches, which then may expose customers or employees to these kinds of approaches are advised to develop “playbooks” of how to respond in the event of such incidents happening. This might include the reissue of credentials where possible and the provision of appropriate guidance and awareness to those individuals affected.